Internet VPN Becomes too Complex and Limited for Growing Company
Like many retailers, Aquila needed to connect its many stores; an Internet-based VPN sounded like the right approach. It was available everywhere and didn’t pin the company to a carrier. And it was affordable, which made it well suited for connecting small retail outlets, some with only a single computer.
But as the premium quality footwear manufacturer grew, the limitations of Internet-based VPNs became all too apparent. With 60 retail locations, warehouses, a headquarters, and applications running in Azure, Aquila’s VPN became incredibly complex.
“With each new store, we had to manually establish VPN connections with every other location. At first, it wasn’t that big a deal, but with more sites, we ended up spending hours establishing the VPN. It just didn’t scale,” says Mike Zidaj, the IT Manager at Aquila.
And since stores had to be manually connected, uptime was often compromised. If the local staff didn’t properly connect the VPN, then IT had to manually log in every Sunday to force a connection to enable inventory logging at the site. “At any one time, approximately 30 percent of our offices were showing offline at the headquarters,” he says.
What’s more, with encrypted traffic (HTTPS) only growing, Zidaj was increasingly losing visibility into the company’s Internet usage. The firewalls lacked the horsepower to decrypt the traffic. “We attempted to do URL filtering with our aging, end-point control software but it was hard to manage, lacked centralized reporting, and was not all that effective. Users could easily get around it,” says Zidaj.
As a result, security was at risk and visibility was limited. “We couldn’t tell if employees were watching YouTube or working. There was simply no easy way of enforcing security policies on Web traffic,” says Zidaj.
Zidaj Rejects MPLS and Turns to CyberRisk and Cato For Help
Zidaj began looking for a solution to both his connectivity and his security challenges. He considered deploying an MPLS service: “A lot of retailers were using MPLS and local firewalls,” he says. “But the approach was too costly and would have locked us into the telco.”
Zidaj heard about Cato and turned to CyberRisk, a Cato partner, for assistance. “As a thought leader and trusted advisor in enterprise networking and security, we are excited to partner with Cato Networks in the ANZ region and see the value Cato delivers to our customers,” says Leong Wang, Director of CyberRisk. “Cato Networks is a leader in next-generation networks with integrated security services and is a huge differentiator from the aging global telco model.”
Zidaj decided to take the plunge. He replaced his Internet-based VPN and end-point control software with Cato. Cato Cloud is the only managed SD-WAN service that connects and secures mobile users, the cloud, branch offices, and headquarters across Australia and the rest of the globe with the agility of the cloud.
Zidaj leveraged Cato’s mobile security and optimization to connect small locations with just a Cato Mobile Client. With no appliance to install and maintain at each retail location, deployment was quick and simple. What’s more, retail locations set in malls can all too often gain Internet access only through private IPs provided by the mall’s Internet provider. Unlike many SD-WAN solutions, the Cato Mobile Client, as well as Cato’s SD-WAN device, the Cato Socket, can operate behind a NAT.
Zidaj equipped the computers at each retail store with Cato mobile clients. The mobile client sends all traffic across an encrypted tunnel automatically established to the nearest Cato point of presence (PoP). Cato Cloud currently covers all major Australian business centers from PoPs in Perth, Melbourne, and Sydney.
His Azure instances were connected through Cato’s agentless integration into Cato Cloud. A few clicks on the Cato Management Console and an IPsec VPN connection was established from the Cato PoPs to Microsoft Azure. Cato collocates its PoPs in the same physical datacenters as the Internet Exchange Points (IXPs) of the leading cloud datacenter providers, such as AWS and Azure.
“Deployment was good, and the setup was pretty simple and straightforward,” he says. “The Cato sales team, Cato Support, and CyberRisk helped a lot. It went well. We selected Cato, in part, because of its super quick and easy deployment.”
When Zidaj is ready, he’ll also be able to connect larger locations with Cato Sockets. Cato Sockets connect and load balance traffic across multiple circuits, MPLS or Internet (DSL, Cable, LTE and more), for maximum performance and uptime. Sockets correct for packet loss and dynamically route Internet and WAN traffic across the optimum last mile to the nearest Cato PoP. The PoP’s cloud-native software inspects all traffic, even SSL/TLS traffic, applying the necessary networking and security policies. Traffic is forwarded across Cato’s global network or onto the Internet. All Cato Sockets come with Affordable High Availability (HA) built-in for inexpensive redundancy.
Deployment is Simple, Visibility and Control Improve Significantly
Since deploying Cato, Zidaj has seen uptime improve significantly. “Our Cato dashboard now usually shows all locations connected and users have noticed the more reliable access,” he says.
Better network connectivity has directly impacted the business. “Now our inventory database stays current because with Cato our connectivity is so solid. If there’s a brownout or even a blackout on one line, Cato auto-connects by itself,” he says.
And with Cato’s next-generation firewall (NGFW) inspecting all Internet and WAN traffic, encrypted and unencrypted, Zidaj is able to better secure his network. “The single pane management also gave us much improved control and visibility. Management is now able to see if shop staff are visiting Web sites that don’t comply with our security policies, and take action.”